I have read about the inverse of SF. To start I know this is bad and less than optimal. But here is the situation. I assume my thinking on this is flawed and wanted to know if I am right or wrong here.

I have users authenticating to a webapp that is controlled by the shared hosting provider. It is not secured; it comes over plain HTTP on 80. I do have control to my own secure services on 443 with a proper cert on my domain. I created a subdirectory (it is not a wildcard cert), that is just a full page iframe that goes to the auth page of that shared hosting service. My rationale for loading a HTTP frame over a HTTPS connection is that is loaded securely through the tunnel and runs around my server on their internal network instead of public internet. In theory that is not as bad. Is that even a remotely safe assumption?

This is not a permanent thing, but I need some kludge in place until I can shift gears and get rid of this.

The contents of IFRAME elements are not served by the same server (i.e. it's not a proxy). The browser will go directly to the location specified for the IFRAME to load the content. You are not securing the subpage in any way by loading it inside an IFRAME on an HTTPS page.